CVE-2019-1680

A vulnerability in Cisco Webex Business Suite could allow an unauthenticated, remote attacker to inject arbitrary text into a user's browser. The vulnerability is due to improper validation of input. An attacker could exploit this vulnerability by convincing a targeted user to view a malicious URL. A successful exploit could allow the attacker to inject arbitrary text into the user's browser. The attacker could use the content injection to conduct spoofing attacks. Versions prior than 3.0.9 are affected.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.securityfocus.com/bid/106939	Broken Link Third Party Advisory VDB Entry
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-webex-injection	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:webex_business_suite::::::::
	cpe:2.3:a:cisco:webex_meetings_online::::::::

History

24 Mar 2023, 17:48

Type	Values Removed	Values Added
References	~~(BID) http://www.securityfocus.com/bid/106939 - Third Party Advisory, VDB Entry~~	(BID) http://www.securityfocus.com/bid/106939 - Broken Link, Third Party Advisory, VDB Entry

Information

Published : 2019-02-07 21:29

Updated : 2024-02-04 20:03

NVD link : CVE-2019-1680

Mitre link : CVE-2019-1680

CVE.ORG link : CVE-2019-1680

JSON object : View

Products Affected

cisco

webex_business_suite
webex_meetings_online

CWE

CWE-20

Improper Input Validation

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

{"id": "CVE-2019-1680", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV30": [{"type": "Secondary", "source": "ykramarz@cisco.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2019-02-07T21:29:00.250", "references": [{"url": "http://www.securityfocus.com/bid/106939", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "source": "ykramarz@cisco.com"}, {"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190206-webex-injection", "tags": ["Vendor Advisory"], "source": "ykramarz@cisco.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Secondary", "source": "ykramarz@cisco.com", "description": [{"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in Cisco Webex Business Suite could allow an unauthenticated, remote attacker to inject arbitrary text into a user's browser. The vulnerability is due to improper validation of input. An attacker could exploit this vulnerability by convincing a targeted user to view a malicious URL. A successful exploit could allow the attacker to inject arbitrary text into the user's browser. The attacker could use the content injection to conduct spoofing attacks. Versions prior than 3.0.9 are affected."}, {"lang": "es", "value": "Una vulnerabilidad en Cisco Webex Business Suite podr\u00eda permitir que un atacante remoto no autenticado inyecte texto arbitrario en el navegador de un usuario. Esta vulnerabilidad se debe a la validaci\u00f3n incorrecta de entradas. Un atacante podr\u00eda explotar esta vulnerabilidad convenciendo a un usuario objetivo para que visualice una URL maliciosa. Una explotaci\u00f3n con \u00e9xito podr\u00eda permitir que el atacante inyecte texto arbitrario en el navegador del usuario. El atacante podr\u00eda emplear la inyecci\u00f3n de contenido para llevar a cabo ataques de suplantaci\u00f3n. Las versiones anteriores a la 3.0.9 se han visto afectadas."}], "lastModified": "2023-03-24T17:48:18.200", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:webex_business_suite:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ACD68511-0F72-452B-9C6D-89669DA284B3", "versionEndExcluding": "3.0.9"}, {"criteria": "cpe:2.3:a:cisco:webex_meetings_online:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3460CBC2-AE10-4814-8FA5-0D110B7F6DC3", "versionEndExcluding": "1.3.42"}], "operator": "OR"}]}], "sourceIdentifier": "ykramarz@cisco.com"}